In the digital era, it is easy to be blinded by the lights of new technologies. However, this can cause us to disregard the factors which pose a threat to insider risk. Tony Pepper, CEO, Egress, discusses insider breach risks and suggests the way we understand and manage insider risk needs to change to comply with today’s data security challenges.
Insider data breach risk has existed for as long as companies have but its nature, impact and a business’ ability to control it has changed dramatically in the digital data-driven age. As a valuable commercial asset, data is a target for theft by malicious actors within and outside the business, while as a regulated liability, it must also be protected from accidental loss or exposure. Data security is a board-level concern and gaining a better understanding of insider breach risk helps directors ensure it is managed effectively.
The digital workplace puts data on the front line
The first step in understanding the evolution of insider breach risk is to acknowledge the effect of unprecedented transformation of the workplace and employees’ relationship with technology and data. Increased mobility and the rise of remote, flexible working mean human-digital interaction is near constant. This blurs the lines between work and homelife, creating an ‘always-on’ culture where employees juggle diverse priorities simultaneously.
At the same time, data volumes have increased exponentially and businesses have become hyperconnected, providing workers with multiple channels for data sharing. Yet, despite these immense changes, employees remain the same; as fallible and fundamentally human as ever. So, we’re looking at a world where a single mistake made by a pressured employee – a mistyped email address or response to a phishing email – can cause an accidental breach of huge scale and devastating impact, while employees with malicious intent have every tool they need at their disposal.
We ask our workforce to do more, share more and make snap judgements about data sensitivity, appropriate protection and the authenticity of email correspondents, all at the relentless pace of competitive business. This is set against a backdrop of punitive data protection regulations. This is a new environment where data is on the front line and risk has increased disproportionately.
This shift means the way we understand and manage insider risk needs to change too. We must view it in the context of the modern workplace and data security landscape and ask: are our expectations of employees’ ability to keep data safe in this environment realistic? Are we adequately supporting the human layer of security?
Concern: IT leaders are viewing a new type of risk through an old lens
Evidence from our recent Egress Global Insider Breach Survey indicates IT leaders are struggling to adapt how they view and manage insider risk in this new landscape. The research asked 500 IT leaders and 5,000 employees about causes, frequency and impacts of internal security breach incidents and views about data risk and ownership. It highlighted discrepancies between IT leaders’ perceptions of insider breach risk and how they are managing it.
A staggering 97% of IT leaders are concerned about this risk. A total of 78% believed employees had leaked data accidentally in the past 12 months and three-quarters believed they had done so intentionally. Looking ahead, 36% said it was likely employees would put data at risk in the coming year.
Despite this concern, when asked what security tools they have in place to mitigate insider breaches, just half of IT leaders said they are using anti-virus software to combat phishing attacks, 48% are using email encryption to protect data and 47% provide secure collaboration tools.
IT leaders appear resigned to a degree of inevitability when it comes to insider breaches, acknowledging the sustained risk but not adopting new strategies or technologies to mitigate them. They’re viewing a new risk through an old lens by continuing to focus on static prevention strategies aimed at securing the devices and network layers, rather than addressing the human layer where mistakes are actually made. Effectively they are adopting a risk posture in which employees putting data at risk is deemed acceptable. From a board-level perspective, this must be cause for serious concern.
Components: Analysing the human layer
Employees offer considerable insight into insider breach risk. Our research found 27% said they or a colleague had accidentally leaked data in the past year and 29% had deliberately breached company policy when sharing data.
The effect of the mobile, always-on culture was reflected in reasons employees gave for accidental data leaks. A total of 23% said they had done so because they were using a mobile device and the same percentage said they were under pressure when they made the error. One in five cited tiredness as the cause of their mistake. The ever-growing risk from phishing emails was a factor in 41% of accidental data breaches, while 31% admitted accidentally sending data to the wrong person. These figures are needlessly high given the availability of security tools that use contextual Machine Learning to prevent misdirected emails, stop the wrong attachments being attached, alert users to phishing emails and help employees use encryption tools correctly.
Reasons given for deliberate breaches reflect everyday frustrations and ethical frailty in the workforce. A quarter took a risk and shared data against company policy because they didn’t have the right tools to share it safely, while 46% took company data with them when they went to a new job. These responses show employees are not being supported to share data safely and that a significant percentage should be monitored more closely based on breach risk.
C-level executives should also recognise the diverse personality types that present varying risks. Our research showed that, on average, more senior employees are more likely to intentionally breach data sharing rules. A total of 78% of director-level employees said they had done so in the past year, compared with 10% of clerical workers. In contrast, 44% of clerical staff have misdirected an email, while only 20% of directors admitted to making this mistake.
Another aspect affecting insider risk is employees’ attitudes to data ownership. Our research found only 41% understand that data belongs exclusively to the business. Others felt it belonged to departments, teams or individuals that had worked on it. This proprietary view explains employees’ tendency to take data with them to new jobs or take risks when sharing data.
Again, this points to the need to support and manage the human layer of data security. In a pressurised, connected workplace, it’s not realistic to expect that employees will get things right every time, or that they will always act honourably in accordance with company policy. At Egress we understand this and we have developed contextual Machine Learning tools that provide a safety net for users to prevent breaches, protect data and ensure regulatory compliance against the new generation of human-activated breaches – without compromising productivity.
Gaining a better understanding of insider breach risk means executives must recognise how it has evolved; understand how employees view data ownership and the different personalities in the workforce that put data at risk; and ultimately ensure IT leaders are deploying solutions that mitigate today’s risks, not those of the past.